NAME

DESCRIPTION

This document describes the differences between the 5.24.0 release and the
5.26.0 release.

Notice

This release includes three updates with widespread effects:

"."
no longer in @INC

For security reasons, the current directory ("."
) is no longer included
by default at the end of the module search path (@INC
). This may have
widespread implications for the building, testing and installing of
modules, and for the execution of scripts. See the section
Removal of the current directory (. ) from @INC
for the full details.

Core Enhancements

Lexical subroutines are no longer experimental

Using the lexical_subs
feature introduced in v5.18 no longer emits a warning. Existing
code that disables the experimental::lexical_subs
warning category
that the feature previously used will continue to work. The
lexical_subs
feature has no effect; all Perl code can use lexical
subroutines, regardless of what feature declarations are in scope.

Indented Here-documents

This adds a new modifier "~"
to here-docs that tells the parser
that it should look for /^\s*$DELIM\n/
as the closing delimiter.

These syntaxes are all supported:

<<~EOF;

<<~\EOF;

<<~'EOF';

<<~"EOF";

<<~`EOF`;

<<~ 'EOF';

<<~ "EOF";

<<~ `EOF`;

The "~"
modifier will strip, from each line in the here-doc, the
same whitespace that appears before the delimiter.

Newlines will be copied as-is, and lines that don't include the
proper beginning whitespace will cause perl to croak.

New regular expression modifier /xx

Specifying two "x"
characters to modify a regular expression pattern
does everything that a single one does, but additionally TAB and SPACE
characters within a bracketed character class are generally ignored and
can be added to improve readability, like
/[ ^ A-Z d-f p-x ]/xx
. Details are at
/x and /xx in perlre.

@{^CAPTURE}
, %{^CAPTURE}
, and %{^CAPTURE_ALL}

@{^CAPTURE}
exposes the capture buffers of the last match as an
array. So $1
is ${^CAPTURE}[0]
. This is a more efficient equivalent
to code like substr($matched_string,$-[0],$+[0]-$-[0]), and you don't
have to keep track of the $matched_string
either. This variable has no
single character equivalent. Note that, like the other regex magic variables,
the contents of this variable is dynamic; if you wish to store it beyond
the lifetime of the match you must copy it to another array.

%{^CAPTURE}
is equivalent to %+
(i.e., named captures). Other than
being more self-documenting there is no difference between the two forms.

%{^CAPTURE_ALL}
is equivalent to %-
(i.e., all named captures).
Other than being more self-documenting there is no difference between the
two forms.

Declaring a reference to a variable

As an experimental feature, Perl now allows the referencing operator to come
after my, state,
our, or local. This syntax must
be enabled with usefeature'declared_refs'
. It is experimental, and will
warn by default unless nowarnings'experimental::refaliasing'
is in effect.
It is intended mainly for use in assignments to references. For example:

Use of \p{script} uses the improved Script_Extensions property

Unicode 6.0 introduced an improved form of the Script (sc
) property, and
called it Script_Extensions (scx
). Perl now uses this improved
version when a property is specified as just \p{script}. This
should make programs more accurate when determining if a character is
used in a given script, but there is a slight chance of breakage for
programs that very specifically needed the old behavior. The meaning of
compound forms, like \p{sc=script} are unchanged. See
Scripts in perlunicode.

Perl can now do default collation in UTF-8 locales on platforms
that support it

CORE
subroutines for hash and array functions callable via
reference

The hash and array functions in the CORE
namespace (keys, each,
values, push, pop, shift, unshift and splice) can now
be called with ampersand syntax (&CORE::keys(\%hash
) and via reference
(my$k = \&CORE::keys;$k->(\%hash)
). Previously they could only be
used when inlined.

New Hash Function For 64-bit Builds

We have switched to a hybrid hash function to better balance
performance for short and long keys.

For short keys, 16 bytes and under, we use an optimised variant of
One At A Time Hard, and for longer keys we use Siphash 1-3. For very
long keys this is a big improvement in performance. For shorter keys
there is a modest improvement.

Security

Removal of the current directory ("."
) from @INC

The perl binary includes a default set of paths in @INC
. Historically
it has also included the current directory ("."
) as the final entry,
unless run with taint mode enabled (perl -T
). While convenient, this has
security implications: for example, where a script attempts to load an
optional module when its current directory is untrusted (such as /tmp),
it could load and execute code from under that directory.

Starting with v5.26, "."
is always removed by default, not just under
tainting. This has major implications for installing modules and executing
scripts.

The following new features have been added to help ameliorate these
issues.

Configure -Udefault_inc_excludes_dot

There is a new Configure option, default_inc_excludes_dot
(enabled
by default) which builds a perl executable without "."
; unsetting this
option using -U
reverts perl to the old behaviour. This may fix your
path issues but will reintroduce all the security concerns, so don't
build a perl executable like this unless you're really confident that
such issues are not a concern in your environment.

PERL_USE_UNSAFE_INC

There is a new environment variable recognised by the perl interpreter.
If this variable has the value 1 when the perl interpreter starts up,
then "."
will be automatically appended to @INC
(except under tainting).

This allows you restore the old perl interpreter behaviour on a
case-by-case basis. But note that this is intended to be a temporary crutch,
and this feature will likely be removed in some future perl version.
It is currently set by the cpan
utility and Test::Harness
to
ease installation of CPAN modules which have not been updated to handle the
lack of dot. Once again, don't use this unless you are sure that this
will not reintroduce any security concerns.

While it is well-known that use and require use @INC
to search
for the file to load, many people don't realise that do"file"
also
searches @INC
if the file is a relative path. With the removal of "."
,
a simple do"file.pl"
will fail to read in and execute file.pl
from
the current directory. Since this is commonly expected behaviour, a new
deprecation warning is now issued whenever do fails to load a file which
it otherwise would have found if a dot had been in @INC
.

Here are some things script and module authors may need to do to make
their software work in the new regime.

Script authors

If the issue is within your own code (rather than within included
modules), then you have two main options. Firstly, if you are confident
that your script will only be run within a trusted directory (under which
you expect to find trusted files and modules), then add "."
back into the
path; e.g.:

On the other hand, if your script is intended to be run from within
untrusted directories (such as /tmp), then your script suddenly failing
to load files may be indicative of a security issue. You most likely want
to replace any relative paths with full paths; for example,

If you install a CPAN module using an automatic tool like cpan
, then
this tool will itself set the PERL_USE_UNSAFE_INC
environment variable
while building and testing the module, which may be sufficient to install
a distribution which hasn't been updated to be dot-aware. If you want to
install such a module manually, then you'll need to replace the
traditional invocation:

perlMakefile.PL && make && maketest && makeinstall

with something like

(exportPERL_USE_UNSAFE_INC=1; \

perlMakefile.PL && make && maketest && makeinstall)

Note that this only helps build and install an unfixed module. It's
possible for the tests to pass (since they were run under
PERL_USE_UNSAFE_INC=1
), but for the module itself to fail to perform
correctly in production. In this case, you may have to temporarily modify
your script until a fixed version of the module is released.
For example:

This is only rarely expected to be necessary. Again, if doing this,
assess the resultant risks first.

Module Authors

If you maintain a CPAN distribution, it may need updating to run in
a dotless environment. Although cpan
and other such tools will
currently set the PERL_USE_UNSAFE_INC
during module build, this is a
temporary workaround for the set of modules which rely on "."
being in
@INC
for installation and testing, and this may mask deeper issues. It
could result in a module which passes tests and installs, but which
fails at run time.

During build, test, and install, it will normally be the case that any perl
processes will be executing directly within the root directory of the
untarred distribution, or a known subdirectory of that, such as t/. It
may well be that Makefile.PL or t/foo.t will attempt to include
local modules and configuration files using their direct relative
filenames, which will now fail.

However, as described above, automatic tools like cpan will (for now)
set the PERL_USE_UNSAFE_INC
environment variable, which introduces
dot during a build.

This makes it likely that your existing build and test code will work, but
this may mask issues with your code which only manifest when used after
install. It is prudent to try and run your build process with that
variable explicitly disabled:

(exportPERL_USE_UNSAFE_INC=0; \

perlMakefile.PL && make && maketest && makeinstall)

This is more likely to show up any potential problems with your module's
build process, or even with the module itself. Fixing such issues will
ensure both that your module can again be installed manually, and that
it will still build once the PERL_USE_UNSAFE_INC
crutch goes away.

When fixing issues in tests due to the removal of dot from @INC
,
reinsertion of dot into @INC
should be performed with caution, for this
too may suppress real errors in your runtime code. You are encouraged
wherever possible to apply the aforementioned approaches with explicit
absolute/relative paths, or to relocate your needed files into a
subdirectory and insert that subdirectory into @INC
instead.

If your runtime code has problems under the dotless @INC
, then the comments
above on how to fix for script authors will mostly apply here too. Bear in
mind though that it is considered bad form for a module to globally add a dot to
@INC
, since it introduces both a security risk and hides issues of
accidentally requiring dot in @INC
, as explained above.

Escaped colons and relative paths in PATH

On Unix systems, Perl treats any relative paths in the PATH
environment
variable as tainted when starting a new process. Previously, it was
allowing a backslash to escape a colon (unlike the OS), consequently
allowing relative paths to be considered safe if the PATH was set to
something like /\:.
. The check has been fixed to treat "."
as tainted
in that example.

New -Di
switch is now required for PerlIO debugging output

This is used for debugging of code within PerlIO to avoid recursive
calls. Previously this output would be sent to the file specified
by the PERLIO_DEBUG
environment variable if perl wasn't running
setuid and the -T
or -t
switches hadn't been parsed yet.

If perl performed output at a point where it hadn't yet parsed its
switches this could result in perl creating or overwriting the file
named by PERLIO_DEBUG
even when the -T
switch had been supplied.

Perl now requires the -Di
switch to be present before it will produce
PerlIO debugging
output. By default this is written to stderr
, but can optionally
be redirected to a file by setting the PERLIO_DEBUG
environment
variable.

If perl is running setuid or the -T
switch was supplied,
PERLIO_DEBUG
is ignored and the debugging output is sent to
stderr
as for any other -D
switch.

Incompatible Changes

You have to now say something like "\{"
or "[{]"
to specify to
match a LEFT CURLY BRACKET; otherwise, it is a fatal pattern compilation
error. This change will allow future extensions to the language.

These have been deprecated since v5.16, with a deprecation message
raised for some uses starting in v5.22. Unfortunately, the code added
to raise the message was buggy and failed to warn in some cases where
it should have. Therefore, enforcement of this ban for these cases is
deferred until Perl 5.30, but the code has been fixed to raise a
default-on deprecation message for them in the meantime.

Some uses of literal "{"
occur in contexts where we do not foresee
the meaning ever being anything but the literal, such as the very first
character in the pattern, or after a "|"
meaning alternation. Thus

qr/{fee|{fie/

matches either of the strings {fee
or {fie
. To avoid forcing
unnecessary code changes, these uses do not need to be escaped, and no
warning is raised about them, and there are no current plans to change this.

But it is always correct to escape "{"
, and the simple rule to
remember is to always do so.

This makes the lvalue sub case consistent with (keys%hash) = ...
and
(keys@_) = ...
, which are also errors.
[perl #128187]

The ${^ENCODING}
facility has been removed

The special behaviour associated with assigning a value to this variable
has been removed. As a consequence, the encoding pragma's default mode
is no longer supported. If
you still need to write your source code in encodings other than UTF-8, use a
source filter such as Filter::Encoding on CPAN or encoding's Filter
option.

POSIX::tmpnam()
has been removed

The fundamentally unsafe tmpnam()
interface was deprecated in
Perl 5.22 and has now been removed. In its place, you can use,
for example, the File::Temp interfaces.

require ::Foo::Bar is now illegal.

Formerly, require::Foo::Bar
would try to read /Foo/Bar.pm. Now any
bareword require which starts with a double colon dies instead.

Literal control character variable names are no longer permissible

A variable name may no longer contain a literal control character under
any circumstances. These previously were allowed in single-character
names on ASCII platforms, but have been deprecated there since Perl
5.20. This affects things like $\cT, where \cT is a literal
control (such as a NAK
or NEGATIVEACKNOWLEDGE
character) in the
source code.

NBSP
is no longer permissible in \N{...}

The name of a character may no longer contain non-breaking spaces. It
has been deprecated to do so since Perl 5.22.

Deprecations

String delimiters that aren't stand-alone graphemes are now deprecated

For Perl to eventually allow string delimiters to be Unicode
grapheme clusters (which look like a single character, but may be
a sequence of several ones), we have to stop allowing a single character
delimiter that isn't a grapheme by itself. These are unlikely to exist
in actual code, as they would typically display as attached to the
character in front of them.

\cX that maps to a printable is no longer deprecated

This means we have no plans to remove this feature. It still raises a
warning, but only if syntax warnings are enabled. The feature was
originally intended to be a way to express non-printable characters that
don't have a mnemonic (\t
and \n
are mnemonics for two
non-printable characters, but most non-printables don't have a
mnemonic.) But the feature can be used to specify a few printable
characters, though those are more clearly expressed as the printable
itself. See
http://www.nntp.perl.org/group/perl.perl5.porters/2017/02/msg242944.html.

Performance Enhancements

This was already special-cased, but some cases were missed (such as
grep%$_,@AoH
), and even the ones which weren't have been improved.

New Faster Hash Function on 64 bit builds

We use a different hash function for short and long keys. This should
improve performance and security, especially for long keys.

readline is faster

Reading from a file line-by-line with readline() or <>
should
now typically be faster due to a better implementation of the code that
searches for the next newline character.

Assigning one reference to another, e.g.$ref1 = $ref2
has been
optimized in some cases.

Remove some exceptions to creating Copy-on-Write strings. The string
buffer growth algorithm has been slightly altered so that you're less
likely to encounter a string which can't be COWed.

Better optimise array and hash assignment: where an array or hash appears
in the LHS of a list assignment, such as (...,@a) = (...);
, it's
likely to be considerably faster, especially if it involves emptying the
array/hash. For example, this code runs about a third faster compared to
Perl 5.24.0:

The rather slow implementation for the experimental subroutine signatures
feature has been made much faster; it is now comparable in speed with the
traditional my($a,$b,@c) = @_
.

Bareword constant strings are now permitted to take part in constant
folding. They were originally exempted from constant folding in August 1999,
during the development of Perl 5.6, to ensure that usestrict"subs"
would still apply to bareword constants. That has now been accomplished a
different way, so barewords, like other constants, now gain the performance
benefits of constant folding.

This also means that void-context warnings on constant expressions of
barewords now report the folded constant operand, rather than the operation;
this matches the behaviour for non-bareword constants.

This adds support for the new /xx
regular expression pattern modifier, and a change to the use re 'strict' experimental feature. When re'strict'
is enabled, a warning now will be generated for all
unescaped uses of the two characters "}"
and "]"
in regular
expression patterns (outside bracketed character classes) that are taken
literally. This brings them more in line with the ")"
character which
is always a metacharacter unless escaped. Being a metacharacter only
sometimes, depending on an action at a distance, can lead to silently
having the pattern mean something quite different than was intended,
which the re'strict'
mode is intended to minimize.

Documentation

New Documentation

This file documents all upcoming deprecations, and some of the deprecations
which already have been removed. The purpose of this documentation is
two-fold: document what will disappear, and by which version, and serve
as a guide for people dealing with code which has features that no longer
work after an upgrade of their perl.

Changes to Existing Documentation

We have attempted to update the documentation to reflect the changes
listed in this document. If you find any we have missed, send email to
perlbug@perl.org.

Additionally, all references to Usenet have been removed, and the
following selected changes have been made:

(A) You've accidentally run your script through bash or another shell
instead of Perl. Check the #!
line, or manually feed your script into
Perl yourself. The #!
line at the top of your file could look like:

(A) You've accidentally run your script through zsh or another shell
instead of Perl. Check the #!
line, or manually feed your script into
Perl yourself. The #!
line at the top of your file could look like:

Using the empty pattern (which re-executes the last successfully-matched
pattern) inside a code block in another regex, as in /(?{ s!!new! })/
, has
always previously yielded a segfault. It now produces this error.

New Warnings

(S experimental::declared_refs) This warning is emitted if you use a reference
constructor on the right-hand side of my(), state(), our(), or
local(). Simply suppress the warning if you want to use the feature, but
know that in doing so you are taking the risk of using an experimental feature
which may change or be removed in a future Perl version:

The special action of the variable ${^ENCODING}
was formerly used to
implement the encoding
pragma. As of Perl 5.26, rather than being
deprecated, assigning to this variable now has no effect except to issue
the warning.

Porting/checkAUTHORS.pl

t/porting/regen.t

utils/h2xs.PL

Long lines in the message body are now wrapped at 900 characters, to stay
well within the 1000-character limit imposed by SMTP mail transfer agents.
This is particularly likely to be important for the list of arguments to
Configure, which can readily exceed the limit if, for example, it names
several non-default installation paths. This change also adds the first unit
tests for perlbug.
[perl #128020]

Configuration and Compilation

If the -xnolibs
is available, use that so a dtrace perl can be
built within a FreeBSD jail.

On systems that build a dtrace object file (FreeBSD, Solaris, and
SystemTap's dtrace emulation), copy the input objects to a separate
directory and process them there, and use those objects in the link,
since dtrace -G
also modifies these objects.

Add libelf to the build on FreeBSD 10.x, since dtrace adds
references to libelf symbols.

Generate a dummy dtrace_main.o if dtrace -G
fails to build it. A
default build on Solaris generates probes from the unused inline
functions, while they don't on FreeBSD, which causes dtrace -G
to
fail.

You can now disable perl's use of the PERL_HASH_SEED
and
PERL_PERTURB_KEYS
environment variables by configuring perl with
-Accflags=NO_PERL_HASH_ENV
.

You can now disable perl's use of the PERL_HASH_SEED_DEBUG
environment
variable by configuring perl with
-Accflags=-DNO_PERL_HASH_SEED_DEBUG
.

Configure now zeroes out the alignment bytes when calculating the bytes
for 80-bit NaN
and Inf
to make builds more reproducible.
[perl #130133]

Since v5.18, for testing purposes we have included support for
building perl with a variety of non-standard, and non-recommended
hash functions. Since we do not recommend the use of these functions,
we have removed them and their corresponding build options. Specifically
this includes the following build options:

PERL_HASH_FUNC_SDBM

PERL_HASH_FUNC_DJB2

PERL_HASH_FUNC_SUPERFAST

PERL_HASH_FUNC_MURMUR3

PERL_HASH_FUNC_ONE_AT_A_TIME

PERL_HASH_FUNC_ONE_AT_A_TIME_OLD

PERL_HASH_FUNC_MURMUR_HASH_64A

PERL_HASH_FUNC_MURMUR_HASH_64B

Remove "Warning: perl appears in your path"

This install warning is more or less obsolete, since most platforms already
will have a /usr/bin/perl or similar provided by the OS.

Reduce verbosity of makeinstall.man

Previously, two progress messages were emitted for each manpage: one by
installman itself, and one by the function in install_lib.pl that it calls to
actually install the file. Disabling the second of those in each case saves
over 750 lines of unhelpful output.

Several smaller changes have been made to remove impediments to compiling
under C++11.

Builds using USE_PAD_RESET
now work again; this configuration had
bit-rotted.

A probe for gai_strerror
was added to Configure that checks if
the gai_strerror()
routine is available and can be used to
translate error codes returned by getaddrinfo()
into human
readable strings.

Configure now aborts if both -Duselongdouble
and -Dusequadmath
are
requested.
[perl #126203]

Fixed a bug in which Configure could append -quadmath
to the
archname even if it was already present.
[perl #128538]

Clang builds with -DPERL_GLOBAL_STRUCT
or
-DPERL_GLOBAL_STRUCT_PRIVATE
have
been fixed (by disabling Thread Safety Analysis for these configurations).

make_ext.pl no longer updates a module's pm_to_blib file when no
files require updates. This could cause dependencies, perlmain.c
in particular, to be rebuilt unnecessarily.
[perl #126710]

The output of perl -V
has been reformatted so that each configuration
and compile-time option is now listed one per line, to improve
readability.

Configure now builds miniperl
and generate_uudmap
if you
invoke it with -Dusecrosscompiler
but not -Dtargethost=somehost
.
This means you can supply your target platform config.sh
, generate
the headers and proceed to build your cross-target perl.
[perl #127234]

Perl built with -Accflags=-DPERL_TRACE_OPS
now only dumps the operator
counts when the environment variable PERL_TRACE_OPS
is set to a
non-zero integer. This allows maketest
to pass on such a build.

When building with GCC 6 and link-time optimization (the -flto
option to
gcc
), Configure was treating all probed symbols as present on the
system, regardless of whether they actually exist. This has been fixed.
[perl #128131]

The t/test.pl library is used for internal testing of Perl itself, and
also copied by several CPAN modules. Some of those modules must work on
older versions of Perl, so t/test.pl must in turn avoid newer Perl
features. Compatibility with Perl 5.8 was inadvertently removed some time
ago; it has now been restored.
[perl #128052]

The build process no longer emits an extra blank line before building each
"simple" extension (those with only *.pm and *.pod files).

Testing

Tests were added and changed to reflect the other additions and changes
in this release. Furthermore, these substantive changes were made:

A new test script, comp/parser_run.t, has been added that is like
comp/parser.t but with test.pl included so that runperl()
and the
like are available for use.

Tests for locales were erroneously using locales incompatible with Perl.

Some parts of the test suite that try to exhaustively test edge cases in the
regex implementation have been restricted to running for a maximum of five
minutes. On slow systems they could otherwise take several hours, without
significantly improving our understanding of the correctness of the code
under test.

A new internal facility allows analysing the time taken by the individual
tests in Perl's own test suite; see Porting/harness-timer-report.pl.

t/re/regexp_nonull.t has been added to test that the regular expression
engine can handle scalars that do not have a null byte just past the end of
the string.

A new test script, t/re/keep_tabs.t has been added to contain tests
where \t
characters should not be expanded into spaces.

A new test script, t/re/anyof.t, has been added to test that the ANYOF nodes
generated by bracketed character classes are as expected.

There is now more extensive testing of the Unicode-related API macros
and functions.

Several of the longer running API test files have been split into
multiple test files so that they can be run in parallel.

t/harness now tries really hard not to run tests which are located
outside of the Perl source tree.
[perl #124050]

Prevent debugger tests (lib/perl5db.t) from failing due to the contents
of $ENV{PERLDB_OPTS}
.
[perl #130445]

Platform Support

New Platforms

NetBSD/VAX

Perl now compiles under NetBSD on VAX machines. However, it's not
possible for that platform to implement floating-point infinities and
NaNs compatible with most modern systems, which implement the IEEE-754
floating point standard. The hexadecimal floating point (0x...p[+-]n
literals, printf%a
) is not implemented, either.
The maketest
passes 98% of tests.

Test fixes and minor updates.

Account for lack of inf
, nan
, and -0.0
support.

Platform-Specific Notes

Darwin

Don't treat -Dprefix=/usr
as special: instead require an extra option
-Ddarwin_distribution
to produce the same results.

The hints for Hurd have been improved, enabling malloc wrap and reporting the
GNU libc used (previously it was an empty string when reported).

VAX

VAX floating point formats are now supported on NetBSD.

VMS

The path separator for the PERL5LIB
and PERLLIB
environment entries is
now a colon (":"
) when running under a Unix shell. There is no change when
running under DCL (it's still "|"
).

configure.com now recognizes the VSI-branded C compiler and no longer
recognizes the "DEC"-branded C compiler (as there hasn't been such a thing for
15 or more years).

Windows

Support for compiling perl on Windows using Microsoft Visual Studio 2015
(containing Visual C++ 14.0) has been added.

This version of VC++ includes a completely rewritten C run-time library, some
of the changes in which mean that work done to resolve a socket
close() bug in
perl #120091 and perl #118059 is not workable in its current state with this
version of VC++. Therefore, we have effectively reverted that bug fix for
VS2015 onwards on the basis that being able to build with VS2015 onwards is
more important than keeping the bug fix. We may revisit this in the future to
attempt to fix the bug again in a way that is compatible with VS2015.

These changes do not affect compilation with GCC or with Visual Studio versions
up to and including VS2013, i.e., the bug fix is retained (unchanged) for those
compilers.

Note that you may experience compatibility problems if you mix a perl built
with GCC or VS <= VS2013 with XS modules built with VS2015, or if you mix a
perl built with VS2015 with XS modules built with GCC or VS <= VS2013.
Some incompatibility may arise because of the bug fix that has been reverted
for VS2015 builds of perl, but there may well be incompatibility anyway because
of the rewritten CRT in VS2015 (e.g., see discussion at
http://stackoverflow.com/questions/30412951).

It now automatically detects GCC versus Visual C and sets the VC version
number on Win32.

Linux

Drop support for Linux a.out executable format. Linux has used ELF for
over twenty years.

OpenBSD 6

OpenBSD 6 still does not support returning pid
, gid
, or uid
with
SA_SIGINFO
. Make sure to account for it.

Internal Changes

A new API function sv_setpv_bufsize()
allows simultaneously setting the
length and the allocated size of the buffer in an SV
, growing the
buffer if necessary.

A new API macro SvPVCLEAR() sets its SV
argument to an empty string,
like Perl-space $x = ''
, but with several optimisations.

Several new macros and functions for dealing with Unicode and
UTF-8-encoded strings have been added to the API, as well as some
changes in the
functionality of existing functions (see Unicode Support in perlapi for
more details):

New versions of the API macros like isALPHA_utf8
and toLOWER_utf8
have been added, each with the suffix _safe
, like
isSPACE_utf8_safe . These take an extra
parameter, giving an upper
limit of how far into the string it is safe to read. Using the old
versions could cause attempts to read beyond the end of the input buffer
if the UTF-8 is not well-formed, and their use now raises a deprecation
warning. Details are at Character classification in perlapi.

Macros like isALPHA_utf8 and
toLOWER_utf8 now die if they detect
that their input UTF-8 is malformed. A deprecation warning had been
issued since Perl 5.18.

Several new macros for analysing the validity of utf8 sequences. These
are:

The functions utf8n_to_uvchr and its
derivatives have had several changes of behaviour.

Calling them, while passing a string length of 0 is now asserted against
in DEBUGGING builds, and otherwise, returns the Unicode REPLACEMENT
CHARACTER. If you have nothing to decode, you shouldn't call the decode
function.

They now return the Unicode REPLACEMENT CHARACTER if called with UTF-8
that has the overlong malformation and that malformation is allowed by
the input parameters. This malformation is where the UTF-8 looks valid
syntactically, but there is a shorter sequence that yields the same code
point. This has been forbidden since Unicode version 3.1.

They now accept an input
flag to allow the overflow malformation. This malformation is when the
UTF-8 may be syntactically valid, but the code point it represents is
not capable of being represented in the word length on the platform.
What "allowed" means, in this case, is that the function doesn't return an
error, and it advances the parse pointer to beyond the UTF-8 in
question, but it returns the Unicode REPLACEMENT CHARACTER as the value
of the code point (since the real value is not representable).

They no longer abandon searching for other malformations when the first
one is encountered. A call to one of these functions thus can generate
multiple diagnostics, instead of just one.

valid_utf8_to_uvchr() has been added
to the API (although it was
present in core earlier). Like utf8_to_uvchr_buf()
, but assumes that
the next character is well-formed. Use with caution.

A new function, utf8n_to_uvchr_error ,
has been added for
use by modules that need to know the details of UTF-8 malformations
beyond pass/fail. Previously, the only ways to know why a sequence was
ill-formed was to capture and parse the generated diagnostics or to do
your own analysis.

There is now a safer version of utf8_hop(), called
utf8_hop_safe() .
Unlike utf8_hop(), utf8_hop_safe() won't navigate before the beginning or
after the end of the supplied buffer.

Perl is now built with the PERL_OP_PARENT
compiler define enabled by
default. To disable it, use the PERL_NO_OP_PARENT
compiler define.
This flag alters how the op_sibling
field is used in OP
structures,
and has been available optionally since perl 5.22.

Three new ops, OP_ARGELEM
, OP_ARGDEFELEM
, and OP_ARGCHECK
have
been added. These are intended principally to implement the individual
elements of a subroutine signature, plus any overall checking required.

The OP_PUSHRE
op has been eliminated and the OP_SPLIT
op has been
changed from class LISTOP
to PMOP
.

Formerly the first child of a split would be a pushre
, which would have the
split's regex attached to it. Now the regex is attached directly to the
split op, and the pushre
has been eliminated.

The op_class() API function has been added. This
is like the existing
OP_CLASS()
macro, but can more accurately determine what struct an op
has been allocated as. For example OP_CLASS()
might return
OA_BASEOP_OR_UNOP
indicating that ops of this type are usually
allocated as an OP
or UNOP
; while op_class()
will return
OPclass_BASEOP
or OPclass_UNOP
as appropriate.

All parts of the internals now agree that the sassign
op is a BINOP
;
previously it was listed as a BASEOP
in regen/opcodes, which meant
that several parts of the internals had to be special-cased to accommodate
it. This oddity's original motivation was to handle code like $x ||= 1
;
that is now handled in a simpler way.

The output format of the op_dump() function (as
used by perl -Dx
)
has changed: it now displays an "ASCII-art" tree structure, and shows more
low-level details about each op, such as its address and class.

The PADOFFSET
type has changed from being unsigned to signed, and
several pad-related variables such as PL_padix
have changed from being
of type I32
to type PADOFFSET
.

The DEBUGGING
-mode output for regex compilation and execution has been
enhanced.

Code like $value1 =~ qr/.../ ~~ $value2
would have the match
converted into a qr// operator, leaving extra elements on the stack to
confuse any surrounding expression.
[perl #130705]

Since v5.24 in some obscure cases, a regex which included code blocks
from multiple sources (e.g., via embedded via qr// objects) could end up
with the wrong current pad and crash or give weird results.
[perl #129881]

Occasionally local()s in a code block within a patterns weren't being
undone when the pattern matching backtracked over the code block.
[perl #126697]

Under useutf8
, the entire source code is now checked for being UTF-8
well formed, not just quoted strings as before.
[perl #126310].

The range operator ".."
on strings now handles its arguments correctly when in
the scope of the unicode_strings
feature. The previous behaviour was sufficiently unexpected that we believe no
correct program could have made use of it.

The split operator did not ensure enough space was allocated for
its return value in scalar context. It could then write a single
pointer immediately beyond the end of the memory block allocated for
the stack.
[perl #130262]

Using a large code point with the "W"
pack template character with
the current output position aligned at just the right point could
cause a write of a single zero byte immediately beyond the end of an
allocated buffer.
[perl #129149]

Supplying a format's picture argument as part of the format argument list
where the picture specifies modifying the argument could cause an
access to the new freed compiled form.at.
[perl #129125]

The sort operator's built-in numeric comparison
function didn't handle large integers that weren't exactly
representable by a double. This now uses the same code used to
implement the <=>
operator.
[perl #130335]

Fix an assertion error which could be triggered when a lookahead string
in patterns exceeded a minimum length.
[perl #130522].

Only warn once per literal number about a misplaced "_"
.
[perl #70878].

The tr/// parse code could be looking at uninitialized data after a
perse error.
[perl #129342].

In a pattern match, a back-reference (\1
) to an unmatched capture could
read back beyond the start of the string being matched.
[perl #129377].

usere'strict'
is supposed to warn if you use a range (such as
/(?[ [ X-Y ] ])/
) whose start and end digit aren't from the same group
of 10. It didn't do that for five groups of mathematical digits starting
at U+1D7E
.

A sub containing a "forward" declaration with the same name (e.g.,
sub c{ sub c;}
) could sometimes crash or loop infinitely.
[perl #129090]

A crash in executing a regex with a non-anchored UTF-8 substring against a
target string that also used UTF-8 has been fixed.
[perl #129350]

Previously, a shebang line like #!perl -i u
could be erroneously
interpreted as requesting the -u
option. This has been fixed.
[perl #129336]

The regex engine was previously producing incorrect results in some rare
situations when backtracking past an alternation that matches only one
thing; this
showed up as capture buffers ($1
, $2
, etc.) erroneously containing data
from regex execution paths that weren't actually executed for the final
match.
[perl #129897]

Certain regexes making use of the experimental regex_sets
feature could
trigger an assertion failure. This has been fixed.
[perl #129322]

Autoloading via a method call would warn erroneously ("Use of inherited
AUTOLOAD for non-method") if there was a stub present in the package into
which the invocant had been blessed. The warning is no longer emitted in
such circumstances.
[perl #47047]

The use of splice on arrays with non-existent elements could cause other
operators to crash.
[perl #129164]

Fixed a crash with s///l where it thought it was dealing with UTF-8
when it wasn't.
[perl #129038]

Fixed a place where the regex parser was not setting the syntax error
correctly on a syntactically incorrect pattern.
[perl #129122]

The &.
operator (and the "&"
operator, when it treats its arguments as
strings) were failing to append a trailing null byte if at least one string
was marked as utf8 internally. Many code paths (system calls, regexp
compilation) still expect there to be a null byte in the string buffer
just past the end of the logical string. An assertion failure was the
result.
[perl #129287]

Avoid a heap-after-use error in the parser when creating an error messge
for a syntactically invalid heredoc.
[perl #128988]

Fix a segfault when run with -DC
options on DEBUGGING builds.
[perl #129106]

Fixed the parser error handling in subroutine attributes for an
':attr(foo
' that does not have an ending '")"
'.

Fix the perl lexer to correctly handle a backslash as the last char in
quoted-string context. This actually fixed two bugs,
[perl #129064] and
[perl #129176].

Problems with in-place array sorts: code like @a = sort{ ... }@a
,
where the source and destination of the sort are the same plain array, are
optimised to do less copying around. Two side-effects of this optimisation
were that the contents of @a
as seen by sort routines were
partially sorted; and under some circumstances accessing @a
during the
sort could crash the interpreter. Both these issues have been fixed, and
Sort functions see the original value of @a
.
[perl #128340]

pack("p", ...)
used to emit its warning ("Attempt to pack pointer to
temporary value") erroneously in some cases, but has been fixed.

@DB::args
is now exempt from "used once" warnings. The warnings only
occurred under -w, because warnings.pm itself uses @DB::args
multiple times.

The use of built-in arrays or hash slices in a double-quoted string no
longer issues a warning ("Possible unintended interpolation...") if the
variable has not been mentioned before. This affected code like
qq|@DB::args| and qq|@SIG{'CHLD', 'HUP'}|
. (The special variables
@-
and @+
were already exempt from the warning.)

gethostent and similar functions now perform a null check internally, to
avoid crashing with the torsocks library. This was a regression from v5.22.
[perl #128740]

defined*{'!'}
, defined*{'['}
, and defined*{'-'}
no longer leak
memory if the typeglob in question has never been accessed before.

Mentioning the same constant twice in a row (which is a syntax error) no
longer fails an assertion under debugging builds. This was a regression
from v5.20.
[perl #126482]

Many issues relating to printf"%a"
of hexadecimal floating point
were fixed. In addition, the "subnormals" (formerly known as "denormals")
floating point numbers are now supported both with the plain IEEE 754
floating point numbers (64-bit or 128-bit) and the x86 80-bit
"extended precision". Note that subnormal hexadecimal floating
point literals will give a warning about "exponent underflow".
[perl #128843][perl #128889][perl #128890][perl #128893][perl #128909][perl #128919]

Use of a string delimiter whose code point is above 2**31 now works
correctly on platforms that allow this. Previously, certain characters,
due to truncation, would be confused with other delimiter characters
with special meaning (such as "?"
in m?...?), resulting
in inconsistent behaviour. Note that this is non-portable,
and is based on Perl's extension to UTF-8, and is probably not
displayable nor enterable by any editor.
[perl #128738]

@{x
followed by a newline where "x"
represents a control or non-ASCII
character no longer produces a garbled syntax error message or a crash.
[perl #128951]

In Perl 5.18, the parsing of "$foo::$bar"
was accidentally changed, such
that it would be treated as $foo."::".$bar
. The previous behavior, which
was to parse it as $foo:: . $bar
, has been restored.
[perl #128478]

Since Perl 5.20, line numbers have been off by one when perl is invoked with
the -x switch. This has been fixed.
[perl #128508]

Some obscure cases of subroutines and file handles being freed at the same time
could result in crashes, but have been fixed. The crash was introduced in Perl
5.22.
[perl #128597]

Code that looks for a variable name associated with an uninitialized value
could cause an assertion failure in cases where magic is involved, such as
$ISA[0][0]
. This has now been fixed.
[perl #128253]

A crash caused by code generating the warning "Subroutine STASH::NAME
redefined" in cases such as sub P::f{}undef*P::;*P::f =sub{};
has been
fixed. In these cases, where the STASH is missing, the warning will now appear
as "Subroutine NAME redefined".
[perl #128257]

Fixed an assertion triggered by some code that handles deprecated behavior in
formats, e.g., in cases like this:

Scalar keys%hash
can now be assigned to consistently in all scalar
lvalue contexts. Previously it worked for some contexts but not others.

List assignment to vec or substr with an array or hash for its first
argument used to result in crashes or "Can't coerce" error messages at run
time, unlike scalar assignment, which would give an error at compile time.
List assignment now gives a compile-time error, too.
[perl #128260]

Expressions containing an &&
or ||
operator (or their synonyms and
and or) were being compiled incorrectly in some cases. If the left-hand
side consisted of either a negated bareword constant or a negated do{}
block containing a constant expression, and the right-hand side consisted of
a negated non-foldable expression, one of the negations was effectively
ignored. The same was true of if and unless statement modifiers,
though with the left-hand and right-hand sides swapped. This long-standing
bug has now been fixed.
[perl #127952]

reset with an argument no longer crashes when encountering stash entries
other than globs.
[perl #128106]

Perl wasn't correctly handling true/false values in the LHS of a list
assign; specifically the truth values returned by boolean operators.
This could trigger an assertion failure in something like the following:

Fix error message for unclosed \N{
in a regex. An unclosed \N{
could give the wrong error message:
"\N{NAME} must be resolved by the lexer"
.

List assignment in list context where the LHS contained aggregates and
where there were not enough RHS elements, used to skip scalar lvalues.
Previously, (($a,$b,@c,$d) = (1))
in list context returned ($a)
; now
it returns ($a,$b,$d)
. (($a,$b,$c) = (1))
is unchanged: it still
returns ($a,$b,$c)
. This can be seen in the following:

Formerly, the values of ($a,$b,$d)
would be left as (11,undef,undef)
;
now they are (11,1,1)
.

Code like this: /(?{ s!!! })/
could trigger infinite recursion on the C
stack (not the normal perl stack) when the last successful pattern in
scope is itself. We avoid the segfault by simply forbidding the use of
the empty pattern when it would resolve to the currently executing
pattern.
[perl #129903]

Avoid reading beyond the end of the line buffer in perl's lexer when
there's a short UTF-8 character at the end.
[perl #128997]

Alternations in regular expressions were sometimes failing to match
a utf8 string against a utf8 alternate.
[perl #129950]

Known Problems

G++ 6 handles subnormal (denormal) floating point values differently
than gcc 6 or g++ 5 resulting in "flush-to-zero". The end result is
that if you specify very small values using the hexadecimal floating
point format, like 0x1.fffffffffffffp-1022
, they become zeros.
[perl #131388]

Errata From Previous Releases

Obituary

Jon Portnoy (AVENJ), a prolific Perl author and admired Gentoo community
member, has passed away on August 10, 2016. He will be remembered and
missed by all those who he came in contact with, and enriched with his
intellect, wit, and spirit.

It is with great sadness that we also note Kip Hampton's passing. Probably
best known as the author of the Perl & XML column on XML.com, he was a
core contributor to AxKit, an XML server platform that became an Apache
Foundation project. He was a frequent speaker in the early days at
OSCON, and most recently at YAPC::NA in Madison. He was frequently on
irc.perl.org as ubu, generally in the #axkit-dahut community, the
group responsible for YAPC::NA Asheville in 2011.

Kip and his constant contributions to the community will be greatly
missed.

Acknowledgements

Perl 5.26.0 represents approximately 13 months of development since Perl 5.24.0
and contains approximately 360,000 lines of changes across 2,600 files from 86
authors.

Excluding auto-generated files, documentation and release tools, there were
approximately 230,000 lines of changes to 1,800 .pm, .t, .c and .h files.

Perl continues to flourish into its third decade thanks to a vibrant community
of users and developers. The following people are known to have contributed the
improvements that became Perl 5.26.0:

The list above is almost certainly incomplete as it is automatically generated
from version control history. In particular, it does not include the names of
the (very much appreciated) contributors who reported issues to the Perl bug
tracker.

Many of the changes included in this version originated in the CPAN modules
included in Perl's core. We're grateful to the entire CPAN community for
helping Perl to flourish.

For a more complete list of all of Perl's historical contributors, please see
the AUTHORS file in the Perl source distribution.

Reporting Bugs

If you believe you have an unreported bug, please run the perlbug program
included with your release. Be sure to trim your bug down to a tiny but
sufficient test case. Your bug report, along with the output of perl -V
,
will be sent off to perlbug@perl.org
to be analysed by the Perl porting team.